Type systems certify program properties in a compositional way. From a bigger program one can
abstract out a part and certify the properties of the resulting abstract program by just using the type
of the part that was abstracted away. Termination and productivity are non-trivial yet desired program
properties, and several type systems have been put forward that guarantee termination, compositionally.
These type systems are intimately connected to the definition of least and greatest fixed-points by ordinal
iteration. While most type systems use "conventional" iteration, we consider inflationary iteration in this
article. We demonstrate how this leads to a more principled type system, with recursion based on
well-founded induction. The type system has a prototypical implementation, MiniAgda, and we show in
particular how it certifies productivity of corecursive and mixed recursive-corecursive functions.

1 Introduction: Types, Compositionality, and Termination 

While basic types like integer, floating-point number, and memory address arise on the machine level of
most current computers, higher types like function and tuple types are abstractions that classify values.
Higher types serve to guarantee certain good program behaviors, like the classic "don't go wrong" absence
of runtime errors [Mil78]. Such properties are usually not compositional, i.e., while a function f and its
argument a might both be well-behaved on their own, their application f a might still go wrong. This issue
also pops up in termination proofs: take f = a = λx. x x, then both are terminating, but their application
loops. To be compositional, the property "terminating" needs to be strengthened to what is often called
reducible [Gir72] or strongly computable [Tai67], leading to a semantic notion of type. While the bare
properties are not compositional, typing is.

Type polymorphism [Rey74, Gir72, Mil78] has been invented for compositionality in the opposite
direction: we want to decompose a larger program into smaller parts such that the well-typedness of the
parts implies the well-typedness of the whole program. Consider (λx.x) (λx.x) true, a simply-typed
program which can be abstracted to let id = λx.x in id id true. The two occurrences of id have different
types, namely Bool → Bool and (Bool → Bool) → Bool → Bool, and the easiest way to type check the new
program is to just inline the definition of id. This trick does not scale, however, making type checking
infeasible and separate compilation of modules impossible. The accepted solution is to give id the
polymorphic type ∀X. X → X, which can be instantiated to the two required types of id.

Termination checking, if it is to scale to software development with powerful abstractions, needs
to be compositional. Just like for other non-standard analyses, e.g., strictness, resource consumption
and security, type-based termination promises to be a model of success. Current termination checkers,
however, like foetus [AA02, Wah00, AD10], the one of Agda [Nor07], and Coq's guardedness check
[Gim95, Bar10b] are not type-based, but syntactic. Let us see how this affects compositionality.
Consider the following recursive program defined by pattern matching. We use the syntax of MiniAgda
[Abe10] in this and all following examples.

  fun everyOther : [A : Set] -> List A -> List A
  { everyOther A nil                  = nil
  ; everyOther A (cons a nil)         = nil
  ; everyOther A (cons a (cons a' as)) = cons a (everyOther A as)
  }

The polymorphic function everyOther returns a list consisting of every second element of the input list.
Since the only recursive call happens on the sublist as of the input list cons a (cons a' as), termination
is evident. We say that the call argument decreases in the structural order; this order, plus lexicographic
extensions, is in essence the termination order accepted by the proof assistants Agda, Coq, and Twelf
[Pie01].



The function distinguishes on the empty list, the singleton list, and lists with at least 2 elements. Such
a case distinction is used in list sorting algorithms, too, so we may want to abstract it from everyOther.

  fun zeroOneMany : [A : Set] -> List A -> [C : Set] ->
    (zero : C) ->
    (one  : A -> C) ->
    (many : A -> A -> List A -> C) ->
    C
  { zeroOneMany A nil                   C zero one many = zero
  ; zeroOneMany A (cons a nil)          C zero one many = one a
  ; zeroOneMany A (cons a (cons a' as)) C zero one many = many a a' as
  }



After abstracting away the case distinction, termination is no longer evident; the program is rejected by 
Agda's termination checker foetus. 

  fun everyOther : [A : Set] -> List A -> List A
  { everyOther A l = zeroOneMany A l (List A)
      nil
      (\ a -> nil)
      (\ a a' as -> cons a (everyOther A as))
  }

Whether the recursive call argument as is structurally smaller than the input l depends on the definition
of zeroOneMany. In such situations, Coq's guardedness check may inline the definition of zeroOneMany
and succeed. Yet in general, as we have discussed in the context of type checking, inlining definitions is
expensive, and in the case of recursive definitions, incomplete and brittle. Current Coq [INR10] may spend
minutes on checking a single definition, and fail nevertheless.



Type-based termination can handle abstraction as in the above example, by assigning a more informative
type to zeroOneMany that guarantees that the list passed to many is structurally smaller than the list
analyzed by zeroOneMany. Using this restriction, termination of everyOther can be guaranteed. To make
this work, we introduce a purely administrative type Size and let variables i, j, and k range over Size.
The type of lists is refined as List A i, meaning lists of length < i. We also add bounded size
quantification ∀j<i. T(j), concrete syntax [j < i] -> T j, which lets j only be instantiated to sizes
strictly smaller than i. The refined type of zeroOneMany thus becomes:

  fun zeroOneMany : [A : Set] [i : Size] -> List A i -> [C : Set] ->
    (zero : C) ->
    (one  : A -> C) ->
    (many : [j < i] -> A -> A -> List A j -> C) ->
    C

The list passed to many is bounded by size j, which is strictly smaller than i. This is exactly the
information needed to make everyOther termination-check.

Barthe et al. [BGP06] study type-based termination as an automatic analysis "behind the curtain",
with no change to the user syntax of types. Size quantification is restricted to rank-1 quantifiers, known as
ML-style quantification [Mil78]. This excludes the type of zeroOneMany, which has a rank-2 (bounded)
quantification. Higher-rank polymorphism is not inferable automatically, yet without it we fall short of
our aim: compositional termination. Anyway, the prerequisite for inference is the availability of the
source code, which fails for abstract interfaces (such as parametrized modules in Agda, Coq, or ML).
Thus, we advocate a type system with explicit size information based on the structural order. It will be
presented in the remainder of this article.



2 Sizes, Iteration, and Fixed-Points 

In the following, rather than syntactic we consider semantic types such as sets of terminating terms. We
assume that types form a complete lattice \((\mathcal{T}, \subseteq, \cup, \cap)\) with least element ⊥ and greatest
element ⊤. Further, let the usual type operators + (disjoint sum), × (Cartesian product), and → (function
type) have a sensible definition.

Inductive types μF, such as List A, are conceived as least fixed points of monotone type constructors
F, for lists this being F X = 1 + A × X. Constructively [CC79], least fixed points are obtained on a
∪-semilattice by ordinal iteration up to a sufficiently large ordinal γ. Let \(\mu^\alpha F\) denote the αth iterate or
approximant, which is defined by transfinite recursion on α:

\[ \mu^0 F = \bot \qquad\qquad \text{zero ordinal: least element of the lattice} \]
\[ \mu^{\alpha+1} F = F(\mu^\alpha F) \qquad\qquad \text{successor ordinal: iteration step} \]
\[ \mu^\lambda F = \bigcup_{\alpha<\lambda} \mu^\alpha F \qquad\qquad \text{limit ordinal: upper limit} \]

For monotone F, iteration is monotone, i.e., \(\mu^\alpha F \subseteq \mu^\beta F\) for α < β. At some ordinal γ, which we
call the closure ordinal of this inductive type, we have \(\mu^\alpha F = \mu^\gamma F\) for all α ≥ γ: the chain has become
stationary, the least fixed point has been reached. For polynomial F, i.e., those expressible without a
function space, the closure ordinal is ω. The index α of the approximant \(\mu^\alpha F\) is a strict upper bound on
the height of the well-founded trees inhabiting this type; in the case of lists (which are linear trees) it is
a strict upper bound on the length.

Dually, coinductive types νF are constructed on a ∩-semilattice by iteration from above.

\[ \nu^0 F = \top \qquad\qquad \text{zero ordinal: greatest element of the lattice} \]
\[ \nu^{\alpha+1} F = F(\nu^\alpha F) \qquad\qquad \text{successor ordinal: iteration step} \]
\[ \nu^\lambda F = \bigcap_{\alpha<\lambda} \nu^\alpha F \qquad\qquad \text{limit ordinal: lower limit} \]

Iteration from above is antitone, i.e., \(\nu^\alpha F \supseteq \nu^\beta F\) for α < β. The chain of approximants starts with
the all-type ⊤ and descends towards the greatest fixed-point νF. In case of the above F this would be
CoList A, the type of possibly infinite lists over element type A. The index α in the approximant \(\nu^\alpha F\)
could be called the depth of the non-well-founded trees inhabiting this type. It is a lower bound on how
deep we can descend into the tree before we hit undefined behavior (⊤).

The central idea of type-based termination, going all the way back to Mendler [Men87], Hughes,
Pareto, and Sabry [HPS96], Giménez [Gim98], and Amadio and Coupet-Grimal [ACG98], is to introduce
syntax to speak about approximants in the type system. Common to the more expressive systems, such
as Barthe et al. [BGR08a] and Blanqui [Bla04], is syntax for ordinal variables i, ordinal successor s a
(MiniAgda: $a), the closure ordinal ∞ (MiniAgda: #) and data type approximants \(D^a\) (MiniAgda: e.g.,
List A i). Hughes et al. and the author [Abe08b] also have quantifiers ∀i. T over ordinals (MiniAgda:
[i : Size] T).

How do we get a recursion principle from approximants? Consider the simplest example: constructing
an infinite repetition r of a fixed element a by corecursion. After assembling the colist constructor
cons : A → CoList A i → CoList A (i+1) on approximants, we give a recursive equation r = cons a r
with the following typing of the r.h.s.:

\[ i : \mathrm{Size},\; r : \mathrm{CoList}\,A\,i \;\vdash\; \mathrm{cons}\,a\,r : \mathrm{CoList}\,A\,(i+1) \]

The types certify that each unfolding of the recursive definition of r increases the number of produced
colist elements by one; hence, in the limit we obtain an infinite sequence and, in particular, r is productive.
Our example is a special instance of the recursion principle of type-based termination, expressible as a
typing rule for the fixed-point combinator:

\[ \frac{f : \forall i.\; T\,i \to T\,(i+1)}{\mathrm{fix}\,f : \forall i.\; T\,i} \]

(Take T = CoList A and f = λr. cons a r to reconstruct the example.) The fixed-point rule can be justified
by transfinite induction on the ordinal index i. While the successor case is covered by the premise of the
rule, for the zero and limit cases the size-indexed type T must satisfy two conditions: \(T\,0 = \top\) (bottom
check) and \(\bigcap_{\alpha<\lambda} T\,\alpha \subseteq T\,\lambda\) for limit ordinals λ [HPS96]. The latter condition is
non-compositional, but has a compositional generalization, upper semi-continuity
\(\bigcap_{\alpha<\lambda} \bigcup_{\alpha\le\beta<\lambda} T\,\beta \subseteq T\,\lambda\) [Abe08b].

The soundness of type-based termination in different variants for different type systems has been
assessed in at least 5 PhD theses: Barras [Bar99] (CIC), Pareto [Par00] (lazy ML), Frade [Fra03] (STL),
the author [Abe06] (Fω), and Sacchini [Sac11] (CIC). Recently, Barras [Bar10a] has completed a
comprehensive formal verification in Coq, by implementing a set-theoretical model of the CIC with
type-based termination.

However, type-based termination has not been integrated into bigger systems like Agda and Coq. 
There are a number of reasons: 

1. Subtyping.

The inclusion relation between approximants gives rise to subtyping, and for dependent types,
subtyping has not been fully explored. While there is basic theory [AC01, Che97], substantial
work on coercive subtyping [Che03, LA08] and new results on Pure Subtype Systems [Hut10],
no theory of higher-order polarized subtyping [Ste98, Abe08a] has been formulated for dependent
types yet. In practice, the introduction of subtyping means that the already complicated higher-order
unification has to be replaced by preunification [QN94].

2. Erasure.

Mixing sizes into types and expressions means that one also needs to erase them after type checking,
since they have no computational significance. The type system must be able to distinguish
relevant from irrelevant parts. This is also work in progress; partial solutions have been given,
e.g., by Barras and Bernardo [BB08] and the author [Abe11].

3. Semi-continuity. 

A technical condition like semi-continuity can kill a system as a candidate for the foundation of 
logics and programming. It seems that it even deters the experts: Most systems for type-based ter- 
mination replace semi-continuity by a rough approximation, trading expressivity for simplicity — 
Pareto and the author being notable exceptions. 

4. Pattern matching.

The literature on type-based termination is a bit thin when it comes to pattern matching. Pattern
matching on sized inductive types has only been treated by Blanqui [Bla04]. Pattern matching on
coinductive types is known to violate subject reduction in dependent type theory (detailed analysis
by McBride [McB09]). Deep matching on sized types can lead to a surprising paradox [Abe10].

While items 1 and 2 require more work, items 3 and 4 can be addressed by switching to a different 
style of type-based termination, which we study in the next section. 

3 Inflationary Iteration and Bounded Size Quantification 

Sprenger and Dam [SD03] note that for monotone F,

\[ \mu^\alpha F = \bigcup_{\beta<\alpha} F(\mu^\beta F), \]

and base their system of circular proofs in the μ-calculus on this observation. They introduce syntax
for unbounded ∃i and bounded ∃j<i ordinal existentials and for approximants \(\mu^i\) (cf. Dam and Gurov
[DG02] and Schöpp and Simpson [SS02]). Induction is well-founded induction on ordinals, and no
semi-continuity is required.

A first thing to note is that if we take the above equation as the definition of \(\mu^\alpha F\), the chain
\(\alpha \mapsto \mu^\alpha F\) is monotone regardless of the monotonicity of F. This style of iteration from below is
called inflationary iteration, and the dual, deflationary iteration,

\[ \nu^\alpha F = \bigcap_{\beta<\alpha} F(\nu^\beta F), \]

always produces a descending chain. While inflationary iteration of F becomes stationary at some closure
ordinal γ, the limit \(\mu^\gamma F\) is only a pre-fixed point of F, i.e., \(F(\mu^\gamma F) \subseteq \mu^\gamma F\). This means we can
construct elements of an inflationary fixed-point as usual, but not necessarily analyze them sensibly. Unless
F is monotone, destructing an element of \(\mu^\gamma F\) yields only an element of \(F(\mu^\beta F)\) for some β < γ and not
one of \(F(\mu^\gamma F)\). Dually, deflationary iteration reaches a post-fixed point \(\nu^\gamma F \subseteq F(\nu^\gamma F)\), giving the usual
destructor, but the constructor has type \((\forall \beta<\gamma.\; F(\nu^\beta F)) \to \nu^\gamma F\).
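The difference between the two iteration schemes can be observed on a finite lattice. The following Python is an added example, not code from the paper or from MiniAgda. It computes the finite stages of conventional and inflationary iteration for two constructed set operators on a powerset lattice: the list generator F X = 1 + A × X with A = {a, b}, cut off at a maximal length so that the universe is finite (the real closure ordinal for lists is ω; here the chain becomes stationary after the cut-off instead), and a deliberately non-monotone operator that flips between {0} and {1}. It also computes the variant with F outside the union that is discussed in the quantifier-placement note at the end of Section 4. All function names (conventional, inflationary, inflationary_shifted, list_gen, flip, max_lengths, flip_summary) are assumptions of this example.

```python
def conventional(F, bottom, steps):
    """Conventional iteration from below: mu^0 = bottom, mu^{a+1} = F(mu^a).
    Returns the finite stages mu^0 .. mu^steps as a list of frozensets."""
    chain = [bottom]
    for _ in range(steps):
        chain.append(F(chain[-1]))
    return chain

def inflationary(F, steps):
    """Inflationary iteration: mu^a = union of F(mu^b) over all b < a.
    The empty union makes mu^0 the least element; no monotonicity of F is
    needed for the stages to form an ascending chain."""
    chain = [frozenset()]
    for _ in range(steps):
        chain.append(frozenset().union(*(F(x) for x in chain)))
    return chain

def inflationary_shifted(F, steps):
    """Variant with F outside the union: mu~^a = F(union of mu~^b over b < a).
    For monotone F this is the conventional mu^{a+1}; in particular mu~^0 = F(bottom)."""
    chain = []
    for _ in range(steps + 1):
        chain.append(F(frozenset().union(*chain)))
    return chain

def is_ascending(chain):
    return all(x <= y for x, y in zip(chain, chain[1:]))

def is_prefixed_point(F, x):
    return F(x) <= x

def is_fixed_point(F, x):
    return F(x) == x

# Constructed operator 1: the list generator F X = 1 + A x X with A = {'a', 'b'},
# cut off at length MAXLEN so that the universe is finite. Lists are tuples, () is nil.
MAXLEN = 3

def list_gen(X):
    return frozenset({()} | {(a,) + xs for a in ("a", "b") for xs in X if len(xs) < MAXLEN})

# Constructed operator 2: a non-monotone F on the powerset of {0, 1}. It is not
# monotone because {} <= {0} but F({}) = {0} is not a subset of F({0}) = {1}.
def flip(X):
    return frozenset({1}) if 0 in X else frozenset({0})

def max_lengths(steps=5):
    """Largest list length in each conventional stage mu^a of the list generator.
    The stage index a is a strict upper bound on the length (stage 0 is empty: -1)."""
    return [max((len(xs) for xs in stage), default=-1)
            for stage in conventional(list_gen, frozenset(), steps)]

def flip_summary(steps=4):
    """Conventional iteration of `flip` oscillates; inflationary iteration ascends to
    {0, 1}, a pre-fixed point (F({0,1}) = {1} is a subset) but not a fixed point."""
    conv = conventional(flip, frozenset(), steps)
    infl = inflationary(flip, steps)
    return {
        "conventional_ascending": is_ascending(conv),
        "inflationary_ascending": is_ascending(infl),
        "limit": set(infl[-1]),
        "prefixed": is_prefixed_point(flip, infl[-1]),
        "fixed": is_fixed_point(flip, infl[-1]),
    }

if __name__ == "__main__":
    print(max_lengths())   # [-1, 0, 1, 2, 3, 3]
    print(flip_summary())
```

For the monotone list generator both schemes produce the same chain, and the shifted variant is the same chain displaced by one stage, with the empty list already present at stage 0. For the non-monotone operator the conventional chain never stabilizes, while the inflationary chain reaches {0, 1} and stays there; destructing an element of that limit only tells us it came from F applied to some earlier stage, which is exactly the "pre-fixed point, not fixed point" caveat above.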

While we have not come across a useful application of negative inflationary fixed points in programming,
inflationary iteration leads to "cleaner" type-based termination. Inductive data constructors have type
\((\exists j<i.\; F(\mu^j F)) \to \mu^i F\), meaning that when we pattern match at inductive type \(\mu^i F\),
we get a fresh size variable j < i and a rest of type \(F(\mu^j F)\). This is the "good" way of matching that
avoids paradoxes [Abe10]; it is also found in Barras [Bar10a]. Coinductive data has type
\(\nu^i F = \forall j<i.\; F(\nu^j F)\), akin to a dependent function type. We cannot match on it, only
apply it to a size, preventing the subject reduction problems mentioned in the previous section. Finally,
recursion becomes well-founded recursion on ordinals,

\[ \frac{f : \forall i.\; (\forall j<i.\; T\,j) \to T\,i}{\mathrm{fix}\,f : \forall i.\; T\,i} \]

with no condition on T. Also, just like in PiSigma [ADLO10], we can dispose of inductive and coinductive
types in favor of recursion. We just define approximants recursively using bounded quantifiers; for
instance, sized streams are \(\mathrm{Stream}\,A\,i = \forall j<i.\; A \times \mathrm{Stream}\,A\,j\), and in MiniAgda:

  cofun Stream : +(A : Set) -(i : Size) Set
  { Stream A i = [j < i] -> A & Stream A j
  }

MiniAgda checks that Stream A i is monotone in the element type A and antitone in the depth i, as specified
by the polarities + and - in the type signature. If we erase sizes to () and Size to the non-informative
unit type 1, we obtain Stream A () = 1 → A × Stream A (), which is a possible representation of streams in
call-by-value languages. Thus, size quantification can be considered as type lifting, size application as
forcing, and size abstraction as delaying.

  let tail [A : Set] [i : Size] (s : Stream A $i) : Stream A i
    = case (s i) { (a, as) -> as }

Taking the tail requires a stream of non-zero depth i+1. Since s : ∀j<(i+1). A × Stream A j, we can
apply it to i (force it) and then take its second component.

Zipping two streams sa = a₀, a₁, ... and sb = b₀, b₁, ... with a function f yields a stream
sc = f(a₀, b₀), f(a₁, b₁), ... whose depth is the minimum of the depths of sa and sb. Since depths are lower
bounds, we can equally state that all three streams have a common depth i.

  cofun zipWith : [A, B, C : Set] (f : A -> B -> C)
    [i : Size] (sa : Stream A i) (sb : Stream B i) -> Stream C i
  { zipWith A B C f i sa sb j =
      case (sa j, sb j) : (A & Stream A j) & (B & Stream B j)
      { ((a, as), (b, bs)) -> (f a b, zipWith A B C f j as bs)
      }
  }

Forcing the recursively defined stream zipWith A B C f i sa sb by applying it to j < i yields a head-tail
pair (f a b, zipWith A B C f j as bs) which is computed from the heads a and b and tails as and bs of the
forced input streams sa j and sb j. The recursion is well-founded since j < i.

The famous Haskell one-line definition fib = 0 : 1 : zipWith (+) fib (tail fib) of the Fibonacci
stream 0:1:1:2:3:5:8:13... can now be replayed in MiniAgda.

  cofun fib : [i : Size] |i| Stream Nat i
  { fib i = \ j -> (zero,
             \ k -> (one,
                     zipWith Nat Nat Nat add k
                       (fib k)
                       (tail Nat k (fib j))))
  }

The |i| in the type explicitly states that the ordinal i shall serve as termination measure (syntax due to
Xi [Xi02]). Note the two delays λj<i and λk<j and the two recursive calls, both at smaller depth
j, k < i. Such a definition is beyond the guardedness check [Coq93] of Agda and Coq, but here the type
system communicates that zipWith preserves the stream depth and, thus, productivity.

While our type system guarantees termination and productivity at run-time, strong normalization, in
particular when reducing under λ-abstractions, is lost when coinductive types are just defined recursively.
Thus, equality testing of functions has to be very intensional (α-equality [ADLO10]), since testing
η-equality may loop. McBride [McB09] suggests an extensional propositional equality [AMS07] as cure.

Having explained away inductive and coinductive types, mixing them does not pose a problem any- 
more, as we will see in the next section. 

4 Mixing Induction and Coinduction 

A popular mixed coinductive-inductive type are stream processors [GHP06], given recursively by the
equation SP A B = (A → SP A B) + (B × SP A B). The intention is that SP A B represents continuous
functions from Stream A to Stream B, meaning that only finitely many A's are taken from the input
stream before a B is emitted on the output stream. This property can be ensured by nesting a least
fixed-point into a greatest one: \(SP\,A\,B = \nu X.\,\mu Y.\,(A \to Y) + (B \times X)\) [Abe07, GHP09]. The
greatest fixed-point unfolds to \(\mu Y.\,(A \to Y) + (B \times SP\,A\,B)\); hence, whenever we choose the second
alternative, the least fixed-point is "restarted". Thus, we can conceive SP A B by a lexicographic ordinal
iteration

\[ SP\,A\,B\,\alpha\,\beta = \bigcap_{\alpha'<\alpha}\; \bigcup_{\beta'<\beta}\; (A \to SP\,A\,B\,\alpha\,\beta') + (B \times SP\,A\,B\,\alpha'\,\infty) \]

where ∞ represents the closure ordinal. The nesting is now defined by the lexicographic recursion pattern,
so we do not need to represent it in the order of quantifiers. Pushing them in maximally yields an
alternative definition:

\[ SP\,A\,B\,\alpha\,\beta = \Big(A \to \bigcup_{\beta'<\beta} SP\,A\,B\,\alpha\,\beta'\Big) + \Big(B \times \bigcap_{\alpha'<\alpha} SP\,A\,B\,\alpha'\,\infty\Big) \]

This variant is close to the mixed data types of Agda [DA10], where recursive occurrences are inductive
unless marked with ∞:

  data SP (A B : Set) : Set where
    get : (A → SP A B) → SP A B
    put : B → ∞ (SP A B) → SP A B

In Agda, one cannot specify the nesting order; it always considers the greatest fixed-point to be on the
outside [AD10].

Let us program with mixed types via bounded quantification in MiniAgda! The type of stream
processors is defined recursively, with lexicographic termination measure |i, j|. The bounded existential
∃j'<j. T has concrete syntax [j' < j] & T, and Either X Y with constructors left : X -> Either X Y and
right : Y -> Either X Y is the (definable) disjoint sum type. We directly code the "mixed" definition of SP:

  cofun SP : -(A : Set) +(B : Set) -(i : Size) +(j : Size) |i,j| Set
  { SP A B i j = Either (A -> [j' < j] & SP A B i j')
                        (B & ([i' < i] -> SP A B i' #))
  }

  pattern get f    = left f
  pattern put b sp = right (b , sp)

We can run a stream processor of depth i and height j on an A-stream of unbounded depth (∞) to yield a
B-stream of depth i (this is also called stream eating [GHP09]). If the stream processor is a get f, we feed
the head of the stream to f, getting a new stream processor of smaller height (index j), and continue
running on the stream tail. If the stream processor is a put b sp, we produce a λi'<i delayed stream
whose head is b and whose tail is computed by running sp, which has smaller depth (index i) but unbounded
height (index j).

  cofun run : [A, B : Set] [i, j : Size] |i,j| -> SP A B i j -> Stream A # -> Stream B i
  { run A B i j (get f)    as = case f (head A # as)
      { (j', sp) -> run A B i j' sp (tail A # as) }
  ; run A B i j (put b sp) as = \ i' -> (b, run A B i' # (sp i') as)
  }
A final note on quantifier placement: for monotone F and \(\tilde\mu^\alpha F = F\big(\bigcup_{\beta<\alpha} \tilde\mu^\beta F\big)\)
we have \(\tilde\mu^\alpha F = \mu^{\alpha+1} F\). In particular \(\tilde\mu^0 F = F\,\bot\); thus for the list generator
F X = 1 + A × X the first approximant \(\tilde\mu^0 F\) is not empty but contains exactly the empty list.
Type \(\tilde\mu^\alpha F\) contains the lists of maximal length α. This encoding of data type approximants is
more suitable for size arithmetic and has been advocated by Barthe, Grégoire, and Riba [BGR08b]; in
practice, it might be superior. Time will tell.

5 Conclusions 

We have given a short introduction into a type system for termination based on ordinal iteration. Bounded 
size quantification, inspired by inflationary fixed points, and recursion with ordinal lexicographic termi- 
nation measures are sufficient to encode inductive and coinductive types and recursive and corecursive 
definitions and all mixings thereof. The full power of classical ordinals is not needed to justify our recur- 
sion schemes: We only need a well-founded order < that is "long enough" and has a successor operation. 
I conjecture that set induction or constructive ordinals (Aczel and Rathjen [AR08]) can play this role, 
leading to a constructive justification of type-based termination. 

While our prototype MiniAgda lacks type reconstruction needed for an enjoyable programming ex- 
perience, it is evolving into a core language for dependent type theory with termination certificates. Our 
long-term goal is to extend Agda with type-based termination in a way that most termination certificates 
will be constructed automatically. MiniAgda could serve as an intermediate language that double-checks 
proofs constructed by Agda, erases static code, and feeds the rest into a compiler back-end. 

Acknowledgements. I am grateful for discussions with Cody Roux which exposed a problem with Mini- 
Agda's pattern matching and set me on the track towards bounded quantification as basic principle for 
type-based termination. Thanks to Brigitte Pientka for many discussions on sized types and the invitation 
to McGill, where some ideas of this paper prospered. Finally, I thank the MiniAgda users, especially Nils 
Anders Danielsson and David Thibodeau, who have coped with the user-unfriendliness of the system and 
kept me busy fixing bugs. 